Configure Network Policy Server Accounting

There are three types of logging for Network Policy Server (NPS):

  • Event logging. Used primarily for auditing and troubleshooting connection attempts. You configure NPS event logging in the NPS properties in the NPS console.

  • Logging user authentication and accounting requests to a local file. Used primarily for connection analysis and billing. Also useful as a security investigation tool, because it gives you a way to trace the activity of a malicious user after an attack. You configure local file logging with the Accounting Configuration wizard.

  • Logging user authentication and accounting requests to a Microsoft SQL Server XML-compliant database. Used to give multiple servers running NPS a single data source, with the advantages of a relational database. You configure SQL Server logging with the Accounting Configuration wizard.

Use the Accounting Configuration wizard

With the Accounting Configuration wizard you can configure the following four accounting settings:

  • SQL logging only. Configures a data link to a SQL Server so that NPS can connect to it and send accounting data. The wizard can also configure the database on the SQL Server so that it is compatible with NPS SQL Server logging.
  • Text logging only. Configures NPS to log accounting data to a text file.
  • Parallel logging. Configures the SQL Server data link and database, and also text file logging, so that NPS logs to the text file and the SQL Server database at the same time.
  • SQL logging with backup. Configures the SQL Server data link and database, plus text file logging that NPS falls back to if SQL Server logging fails.

In addition to these settings, both SQL Server logging and text logging let you specify whether NPS keeps processing connection requests if logging fails. You set this in the Logging failure action section of the local file logging properties and of the SQL Server logging properties, and while running the Accounting Configuration wizard. Treat this as a fail-closed versus fail-open decision: discarding requests when logging fails preserves the audit trail, but a logging outage (a full disk, an unreachable SQL Server) then becomes a network access outage; continuing without logging keeps users connected but leaves a gap in the accounting record for the duration of the outage.

To run the Accounting Configuration wizard

To run the Accounting Configuration wizard, complete the following steps:

  1. Open the NPS console or the NPS Microsoft Management Console (MMC) snap-in.
  2. In the console tree, click Accounting.
  3. In the details pane, under Accounting, click Configure Accounting.

Configure NPS Log File Properties

You can configure Network Policy Server (NPS) to perform Remote Authentication Dial-In User Service (RADIUS) accounting for user authentication requests, Access-Accept messages, Access-Reject messages, accounting requests and responses, and periodic status updates. Use this procedure to configure the log files in which the accounting data is stored.

For more information about interpreting log files, see Interpret NPS Database Format Log Files.

To prevent the log files from filling the hard drive, it is strongly recommended that you keep them on a partition separate from the system partition. The following provides more information about configuring accounting for NPS:

  • To send the log file data to another process for collection, you can configure NPS to write to a named pipe. To use named pipes, set the log file folder to \\.\pipe or \\ComputerName\pipe. The named pipe server program creates a named pipe called \\.\pipe\iaslog.log to accept the data. In the Local file properties dialog box, under Create a new log file, select Never (unlimited file size) when you use named pipes.

  • The log file directory can be specified with system environment variables (not user variables), such as %systemdrive%, %systemroot%, and %windir%. For example, a path that uses the environment variable %windir% locates the log file in the \System32\Logs subfolder of the system directory (that is, %windir%\System32\Logs).

  • Switching log file formats does not cause a new log file to be created. If you change log file formats, the file that is active at the time of the change will contain a mixture of the two formats (records at the start of the log in the previous format, records at the end in the new format). Any parser you point at such a file has to tolerate the mixture.

  • If RADIUS accounting fails because of a full hard disk drive or for other reasons, and Logging failure action is set to discard connection requests, NPS stops processing connection requests, which prevents users from accessing network resources.

  • NPS can log to a Microsoft SQL Server database in addition to, or instead of, logging to a local file.

Membership in the Domain Admins group is the minimum required to perform this procedure.

To configure NPS log file properties

  1. Open the NPS console or the NPS Microsoft Management Console (MMC) snap-in.
  2. In the console tree, click Accounting.
  3. In the details pane, under Log File Properties, click Change Log File Properties. The Log File Properties dialog box opens.
  4. In Log File Properties, on the Settings tab, under Log the following information, make sure you log enough information to meet your accounting goals. For example, if your logs need to support session correlation, select all of the check boxes.
  5. Under Logging failure action, select If logging fails, discard connection requests if you want NPS to stop processing Access-Request messages when the log files are full or otherwise unavailable. If you want NPS to keep processing connection requests when logging fails, leave this check box cleared.
  6. In the Log File Properties dialog box, click the Log File tab.
  7. On the Log File tab, in Directory, type the location where you want to store NPS log files. The default location is the systemroot\System32\LogFiles folder.
    If you do not supply a full path in Log File Directory, the default path is used. For example, if you type NPSLogFile in Log File Directory, the file is located at %systemroot%\System32\NPSLogFile.
  8. In Format, click DTS Compliant. If you prefer, you can instead select a legacy file format, such as ODBC (Legacy) or IAS (Legacy).
    The ODBC and IAS legacy file types contain a subset of the information that NPS sends to its SQL Server database. The XML format of the DTS Compliant file type is identical to the XML format that NPS uses to import data into its SQL Server database, so the DTS Compliant format gives a more efficient and complete transfer of data into the standard SQL Server database for NPS.
  9. Under Create a new log file, to have NPS start new log files at a specified interval, click the interval you want to use:
    • For heavy transaction volume and logging activity, click Daily.
    • For lower transaction volume and logging activity, click Weekly or Monthly.
    • To store all transactions in one log file, click Never (unlimited file size).
    • To limit the size of each log file, click When log file reaches this size, and then type the file size after which a new log is created. The default size is 10 megabytes (MB).
  10. If you want NPS to delete old log files to make room for new ones when the hard disk is near capacity, make sure When disk is full delete older log files is selected. This option is not available if Create a new log file is set to Never (unlimited file size). Also, if the oldest log file is the current log file, it is not deleted. Be aware that automatic deletion also lets a burst of requests age out earlier records, so if the logs matter for investigation, collect them to a central system before they can be overwritten.
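The advice above to keep the log files off the system partition, together with their role as investigation evidence, is easy to check from PowerShell on the NPS server. The following is an added example (not the page's own code and not Microsoft's): it creates the log directory, warns if it sits on the system volume, replaces the inherited ACL so that only SYSTEM (the identity the NPS service runs as) and Administrators can write to it, optionally grants read access to a log collection account, and reports free space. The directory path, the collector account name and the free-space threshold are assumptions for illustration.

```powershell
# Added example (not from the page): prepare and check an NPS log directory.
function Initialize-NpsLogDirectory {
    param(
        [Parameter(Mandatory)][string]$Path,   # e.g. 'D:\NPSLogs' (assumed path)
        [string]$ReaderIdentity,               # e.g. 'CONTOSO\svc-logcollector' (assumed, optional)
        [int]$MinFreeGB = 20                   # illustrative threshold
    )
    $full   = [System.IO.Path]::GetFullPath($Path)
    $volume = [System.IO.Path]::GetPathRoot($full)              # e.g. 'D:\'
    $sysVol = [System.IO.Path]::GetPathRoot($env:SystemRoot)    # e.g. 'C:\'

    if ($volume -eq $sysVol) {
        Write-Warning "$full is on the system volume $sysVol; NPS logs should live on a separate partition."
    }
    New-Item -ItemType Directory -Path $full -Force | Out-Null

    # Stop inheriting permissions and drop the explicit ones, then allow only
    # SYSTEM (NPS runs as Local System) and Administrators to write. A collector
    # account, if given, gets read access only, so it cannot alter the evidence.
    $acl = Get-Acl -LiteralPath $full
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in @($acl.Access)) {
        if (-not $rule.IsInherited) { [void]$acl.RemoveAccessRule($rule) }
    }
    $inherit = 'ContainerInherit,ObjectInherit'
    foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule `
            -ArgumentList $id, 'FullControl', $inherit, 'None', 'Allow'))
    }
    if ($ReaderIdentity) {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule `
            -ArgumentList $ReaderIdentity, 'ReadAndExecute', $inherit, 'None', 'Allow'))
    }
    Set-Acl -LiteralPath $full -AclObject $acl

    # Free space on the log volume: a full disk either stops logging or, with
    # "discard connection requests" selected, stops NPS answering clients.
    $drive  = Get-PSDrive -Name $volume.Substring(0, 1)
    $freeGB = [math]::Round($drive.Free / 1GB, 1)
    if ($freeGB -lt $MinFreeGB) {
        Write-Warning "Only $freeGB GB free on $volume (threshold $MinFreeGB GB)."
    }

    [pscustomobject]@{
        Path            = $full
        Volume          = $volume
        OffSystemVolume = ($volume -ne $sysVol)
        FreeGB          = $freeGB
        AccessRules     = (($acl.Access | ForEach-Object { "$($_.IdentityReference):$($_.FileSystemRights)" }) -join '; ')
    }
}

# Usage (run elevated on the NPS server); then type the same path in Directory on the Log File tab.
# Initialize-NpsLogDirectory -Path 'D:\NPSLogs' -ReaderIdentity 'CONTOSO\svc-logcollector'
```

The function only prepares the folder; the Directory, Format and rotation settings themselves are still set in the Log File Properties dialog as described in the procedure. If you later use a named pipe instead of a folder, the ACL step does not apply.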

Configure NPS SQL Server Logging

Use this procedure to log RADIUS accounting data to a local or remote database running Microsoft SQL Server.

Note

NPS formats accounting data as an XML document that it sends to the report_event stored procedure in the SQL Server database that you designate in NPS. For SQL Server logging to work, the SQL Server database must contain a stored procedure named report_event that can receive and parse the XML documents from NPS.

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure.

To configure SQL Server logging in NPS

  1. Open the NPS console or the NPS Microsoft Management Console (MMC) snap-in.
  2. In the console tree, click Accounting.
  3. In the details pane, under SQL Server Logging Properties, click Change SQL Server Logging Properties. The SQL Server Logging Properties dialog box opens.
  4. Under Log the following information, select the information that you want to log:
    • To log all accounting requests, click Accounting requests.
    • To log authentication requests, click Authentication requests.
    • To log periodic accounting status, click Periodic accounting status.
    • To log periodic status, such as interim accounting requests, click Periodic status.
  5. To set the number of concurrent sessions allowed between the server running NPS and the SQL Server, type a number in Maximum number of concurrent sessions.
  6. To configure the SQL Server data source, under SQL Server Logging, click Configure. The Data Link Properties dialog box opens. On the Connection tab, specify the following:
    • To specify the name of the server on which the database is stored, type or select a name in Select or enter a server name.
    • To specify the authentication method used to log on to the server, click Use Windows NT integrated security. Or, click Use a specific user name and password, and then type the credentials in User name and Password. Integrated security is the preferable choice: NPS then authenticates as its own service identity and no SQL credential has to be stored on the NPS server.
    • To allow a blank password, click Blank password. A blank password on the logging account exposes the accounting database to anyone who can reach the SQL Server; avoid it outside a lab.
    • To store the password, click Allow saving password.
    • To specify which database to connect to on the computer running SQL Server, click Select the database on the server, and then select a database name from the list.
  7. To test the connection between NPS and SQL Server, click Test Connection. Click OK to close Data Link Properties.
  8. Under Logging failure action, select Enable text file logging for failover if you want NPS to fall back to text file logging when SQL Server logging fails.
  9. Under Logging failure action, select If logging fails, discard connection requests if you want NPS to stop processing Access-Request messages when the log files are full or otherwise unavailable. If you want NPS to keep processing connection requests when logging fails, leave this check box cleared.
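Test Connection only proves that a session can be opened; it does not prove that the database has the report_event stored procedure the note above requires, or that the logging identity may execute it. The following is an added example (not the page's own code and not Microsoft's) of a PowerShell check for those prerequisites. It uses integrated security, so run it under the identity NPS will connect as (Local System presents the computer account, e.g. CONTOSO\NPS01$, which is an assumed name), and it flags a logging identity that holds more than EXECUTE on the procedure. The server and database names are parameters you supply.

```powershell
# Added example (not from the page): verify the SQL Server target for NPS logging.
function Test-NpsSqlLoggingTarget {
    param(
        [Parameter(Mandatory)][string]$Server,     # e.g. 'SQL01' or 'SQL01\NPS' (assumed)
        [Parameter(Mandatory)][string]$Database    # the database chosen in Data Link Properties
    )
    # Encrypt=True requires a server certificate the NPS host trusts; do not
    # add TrustServerCertificate=True outside a lab, or the channel can be MITMed.
    $cs   = "Server=$Server;Database=$Database;Integrated Security=SSPI;Encrypt=True"
    $conn = New-Object System.Data.SqlClient.SqlConnection $cs
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = @"
SELECT SUSER_SNAME() AS Login,
       CASE WHEN OBJECT_ID(N'dbo.report_event', N'P') IS NULL THEN 0 ELSE 1 END AS HasProc,
       ISNULL(HAS_PERMS_BY_NAME(N'dbo.report_event', N'OBJECT', N'EXECUTE'), 0) AS CanExecute,
       ISNULL(IS_MEMBER(N'db_owner'), 0) AS IsDbOwner,
       ISNULL(IS_SRVROLEMEMBER(N'sysadmin'), 0) AS IsSysadmin
"@
        $r = $cmd.ExecuteReader()
        [void]$r.Read()
        $result = [pscustomobject]@{
            Login      = [string]$r['Login']
            HasProc    = [bool]$r['HasProc']
            CanExecute = [bool]$r['CanExecute']
            IsDbOwner  = [bool]$r['IsDbOwner']
            IsSysadmin = [bool]$r['IsSysadmin']
        }
        $r.Close()
    }
    finally { $conn.Close() }

    if (-not $result.HasProc) {
        Write-Warning "dbo.report_event does not exist in $Database; NPS SQL logging will fail."
    }
    elseif (-not $result.CanExecute) {
        Write-Warning "$($result.Login) cannot EXECUTE dbo.report_event; grant EXECUTE on that procedure only."
    }
    if ($result.IsDbOwner -or $result.IsSysadmin) {
        Write-Warning "$($result.Login) is db_owner or sysadmin; the logging identity needs only EXECUTE on report_event."
    }
    $result
}

# Usage, run as the identity NPS uses (e.g. via a task scheduled as SYSTEM on the NPS server):
# Test-NpsSqlLoggingTarget -Server 'SQL01' -Database 'NPSAccounting'
```

The least-privilege grant that satisfies the check is a single GRANT EXECUTE ON dbo.report_event to the NPS computer account (or the SQL login you entered in Data Link Properties); the logging identity needs no table permissions because the stored procedure does the inserts. A failure here is exactly the condition step 8 (text file failover) and step 9 (discard requests) decide how to handle, so run the check before choosing those options.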

Ping user-name

Some RADIUS proxy servers and network access servers periodically send authentication and accounting requests (known as ping requests) to verify that the NPS is present on the network. These ping requests carry fictional user names. When NPS processes them, the event and accounting logs fill with Access-Reject records, which makes it harder to keep track of valid records.

When you configure a registry entry for ping user-name, NPS matches the registry entry value against the User-Name value in ping requests from other servers. A ping user-name registry entry specifies the fictional user name (or a user name pattern, with wildcard characters, that matches the fictional user name) sent by RADIUS proxy servers and network access servers. When NPS receives ping requests that match the ping user-name registry entry value, NPS rejects the authentication requests without processing them. NPS does not record transactions involving the fictional user name in any log file, which makes the event log easier to interpret.
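Before suppressing a name, confirm from the accounting log which name the probes actually use and where they come from. The following is an added example (not the page's own code and not Microsoft's) that parses records in the DTS Compliant format chosen in step 8 above and lists user names that are repeatedly rejected and never accepted, together with the RADIUS client addresses that sent them. The sample log lines are constructed; the element names and the RADIUS Packet-Type codes (1 Access-Request, 2 Access-Accept, 3 Access-Reject) follow the DTS Compliant layout as the author understands it, so compare them against a real log file before relying on the parser.

```powershell
# Added example (not from the page): find ping user-name candidates in a DTS Compliant log.

# Constructed sample: one <Event> element per line, as NPS writes DTS Compliant files.
# Assumed element names; Reason-Code values are illustrative only.
$SampleLog = @'
<Event><Timestamp data_type="4">03/01/2024 08:00:01.000</Timestamp><Computer-Name data_type="1">NPS01</Computer-Name><User-Name data_type="1">CONTOSO\alice</User-Name><Client-IP-Address data_type="3">10.0.0.5</Client-IP-Address><Packet-Type data_type="0">1</Packet-Type></Event>
<Event><Timestamp data_type="4">03/01/2024 08:00:01.050</Timestamp><Computer-Name data_type="1">NPS01</Computer-Name><User-Name data_type="1">CONTOSO\alice</User-Name><Client-IP-Address data_type="3">10.0.0.5</Client-IP-Address><Packet-Type data_type="0">2</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>
<Event><Timestamp data_type="4">03/01/2024 08:00:30.000</Timestamp><Computer-Name data_type="1">NPS01</Computer-Name><User-Name data_type="1">nps-probe</User-Name><Client-IP-Address data_type="3">10.0.0.9</Client-IP-Address><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">16</Reason-Code></Event>
<Event><Timestamp data_type="4">03/01/2024 08:01:30.000</Timestamp><Computer-Name data_type="1">NPS01</Computer-Name><User-Name data_type="1">nps-probe</User-Name><Client-IP-Address data_type="3">10.0.0.9</Client-IP-Address><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">16</Reason-Code></Event>
<Event><Timestamp data_type="4">03/01/2024 08:02:30.000</Timestamp><Computer-Name data_type="1">NPS01</Computer-Name><User-Name data_type="1">nps-probe</User-Name><Client-IP-Address data_type="3">10.0.0.9</Client-IP-Address><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">16</Reason-Code></Event>
<Event><Timestamp data_type="4">03/01/2024 08:02:45.000</Timestamp><Computer-Name data_type="1">NPS01</Computer-Name><User-Name data_type="1">CONTOSO\bob</User-Name><Client-IP-Address data_type="3">10.0.0.5</Client-IP-Address><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">16</Reason-Code></Event>
'@

function Get-DtsText([System.Xml.XmlElement]$Event, [string]$Name) {
    $node = $Event.SelectSingleNode($Name)
    if ($node) { $node.InnerText } else { $null }
}

function ConvertFrom-NpsDtsLog {
    param([Parameter(Mandatory)][string[]]$Lines)
    foreach ($line in $Lines) {
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        # A file written across a format switch contains non-XML lines; skip them.
        try { $xml = [xml]$line } catch { Write-Warning "Skipping non-XML line"; continue }
        $ev = $xml.DocumentElement
        [pscustomobject]@{
            Timestamp  = Get-DtsText $ev 'Timestamp'
            User       = Get-DtsText $ev 'User-Name'
            Client     = Get-DtsText $ev 'Client-IP-Address'
            PacketType = [int](Get-DtsText $ev 'Packet-Type')
            Reason     = Get-DtsText $ev 'Reason-Code'
        }
    }
}

function Get-PingUserNameCandidates {
    param([Parameter(Mandatory)][object[]]$Events, [int]$MinRejects = 3)
    # A probe name is rejected repeatedly and never accepted. A real account under
    # password spraying looks the same, so the client addresses are reported:
    # probes come from your own NASs and proxies, a spray usually does not.
    $accepted = @($Events | Where-Object PacketType -eq 2 | ForEach-Object User | Sort-Object -Unique)
    $Events |
        Where-Object PacketType -eq 3 |
        Group-Object User |
        Where-Object { $_.Count -ge $MinRejects -and $_.Name -notin $accepted } |
        ForEach-Object {
            [pscustomobject]@{
                User    = $_.Name
                Rejects = $_.Count
                Clients = (@($_.Group.Client | Sort-Object -Unique) -join ', ')
            }
        }
}

$events = ConvertFrom-NpsDtsLog -Lines ($SampleLog -split "`r?`n")
Get-PingUserNameCandidates -Events $events | Format-Table -AutoSize

# Against a real file (assumed path): 
# Get-PingUserNameCandidates -Events (ConvertFrom-NpsDtsLog -Lines (Get-Content 'D:\NPSLogs\IN2403.log'))
```

The threshold exists so that a user who mistypes a password once (bob in the sample) is not mistaken for a probe. Only names that come from addresses you recognise as your own proxies or access servers belong in the ping user-name value; anything else rejected at that rate is a potential credential-guessing attempt and should stay in the logs.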

Ping user-name is not installed by default. You must add ping user-name to the registry. You can add the entry with Registry Editor.

Warning

Incorrectly editing the registry might severely damage your system. Before making changes to the registry, back up any valued data on the computer.

To add ping user-name to the registry

A member of the local Administrators group can add ping user-name to the following registry key as a string value:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\IAS\Parameters

  • Name: ping user-name
  • Type: REG_SZ
  • Data: User name

Tip

To match more than one user name with a single ping user-name value, enter a name pattern, such as a DNS name, including wildcard characters, in Data. Because matching requests are neither processed nor logged, keep the pattern as narrow as possible: a broad wildcard can silently hide genuine failed logons from both the event log and the accounting log.
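The same change can be scripted so that the backup the warning calls for happens before the value is written and the result is verified afterwards. The following is an added example (not the page's own code and not Microsoft's); the value nps-probe* is an assumed name pattern that you replace with the one your access servers actually send, and the service restart at the end is the author's assumption about when NPS reads the value, not something the page states.

```powershell
# Added example (not from the page): add the ping user-name value with a backup first.
$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\IAS\Parameters'
$RegKey  = 'HKLM\SYSTEM\CurrentControlSet\Services\IAS\Parameters'   # same key, reg.exe syntax
$Name    = 'ping user-name'
$Pattern = 'nps-probe*'   # assumption: the fictional name or wildcard pattern your NAS/proxy sends
$Backup  = Join-Path $env:TEMP ('IAS-Parameters-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))

if (-not (Test-Path -LiteralPath $KeyPath)) {
    throw "$KeyPath does not exist; is the Network Policy Server role installed?"
}

# 1. Back up the key before touching it (see the warning above).
reg.exe export $RegKey $Backup /y | Out-Null
if ($LASTEXITCODE -ne 0 -or -not (Test-Path -LiteralPath $Backup)) {
    throw "Registry backup failed; no change made."
}
Write-Host "Key backed up to $Backup (restore with: reg.exe import `"$Backup`")"

# 2. Report any existing value, then create or overwrite the REG_SZ value.
$current = (Get-ItemProperty -LiteralPath $KeyPath -Name $Name -ErrorAction SilentlyContinue).$Name
if ($null -ne $current) { Write-Warning "Replacing existing '$Name' value: $current" }
New-ItemProperty -LiteralPath $KeyPath -Name $Name -Value $Pattern -PropertyType String -Force | Out-Null

# 3. Verify name, type and data as written.
$key = Get-Item -LiteralPath $KeyPath
[pscustomobject]@{
    Name  = $Name
    Type  = $key.GetValueKind($Name)    # String corresponds to REG_SZ
    Value = $key.GetValue($Name)
}

# 4. Assumption: NPS reads the value when the service (service name IAS) starts.
#    Restarting NPS interrupts authentication, so do it in a maintenance window.
# Restart-Service -Name IAS
```

After the change, rerun your log review: the matching name should disappear from new Access-Reject records while rejects for real accounts continue to be logged. If genuine names vanish as well, the pattern is too broad.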